ghsa

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.

### Impact When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the `package-lock.yml` file. ### Patches The bug has been fixed in [dbt-core v1.7.3](https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.3). ### Mitigations Remove any git URLs with plaintext secrets from `package-lock.yml` file(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the model management department.

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department.

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the navigation management department.

### Impact The Candid library causes a Denial of Service while parsing a specially crafted payload with `empty` data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the rust candid decoder treats `empty` as an extra field required by the type. The problem with type `empty` is that the candid rust library wrongly categorizes `empty` as a recoverable error when skipping the field and thus causing an infinite decoding loop. Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. For asset canister users, `dfx` versions `>= 0.14.4` to `<= 0.15.2-beta.0` ships asset canister with an affected version of candid. #### Unaffected - Rust canisters using candid `< 0.9.0` or `>= 0.9.10` -...

From HackerOne report [#1948040](https://hackerone.com/reports/1948040) by Halit AKAYDIN (hltakydn) ### Impact _What kind of vulnerability is it? Who is impacted?_ The TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags. ### Patches _Has the problem been patched? What versions should users upgrade to?_ This vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ The WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack. ### References _Are there any links users can visit to find out more?_ The attack is simply an exploit of the "onmouseover" attribute of an `img` element as described on [OWASP XSS Filter Evasion](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet...

### Impact Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable image, instead of restricting to only the single configured image, as intended. ### Patches Upgrade to DockerSpawner 13. ### Workarounds Explicitly setting `DockerSpawner.allowed_images` to a non-empty list containing only the default image will result in the intended default behavior: ```python c.DockerSpawner.image = "your-image" c.DockerSpawner.allowed_images = ["your-image"] ```

An issue present in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.0.